CVE-2025-53009: MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit

July 31, 2025 (updated November 10, 2025)

When parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion.

References

github.com/AcademySoftwareFoundation/MaterialX
github.com/AcademySoftwareFoundation/MaterialX/issues/2504
github.com/AcademySoftwareFoundation/MaterialX/pull/2505
github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3
github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-wx6g-fm6f-w822
github.com/ShielderSec/poc/tree/main/CVE-2025-53009
github.com/advisories/GHSA-wx6g-fm6f-w822
nvd.nist.gov/vuln/detail/CVE-2025-53009

Code Behaviors & Features

Detect and mitigate CVE-2025-53009 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →